The Hacker News — Cyber Security, Hacking, Technology News

After the discovery of a critical vulnerability that could have allowed hackers to view private Yahoo Mail images, Yahoo retired the image-processing library ImageMagick.

ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermark and tweak images. The library has bindings for PHP, Python, Ruby, Perl, C++, and many other programming languages.

This popular image-processing library made headlines last year with the discovery of the then-zero-day vulnerability dubbed ImageTragick, which allowed hackers to execute malicious code on a Web server by uploading a maliciously-crafted image.

Now, just last week, security researcher Chris Evans demonstrated an 18-byte exploit to the public that could be used to cause Yahoo servers to leak other users' private Yahoo! Mail image attachments.

'Yahoobleed' Bug Leaks Images From Server Memory

The exploit abuses a security vulnerability in the ImageMagick library, which Evans dubbed "Yahoobleed #1" (YB1) because the flaw caused the service to bleed contents stored in server memory.

To exploit the vulnerability, all an attacker needs to do is create a maliciously crafted RLE image whose payload is a loop of empty RLE protocol commands and send it to the victim's email address, prompting the leakage of information.

To show how it is possible to compromise a Yahoo email account, Evans, as a proof-of-concept (PoC) demonstration, created a malicious image containing the 18-byte exploit code and emailed it to himself as an attachment.

Once the attachment reached Yahoo's email servers, ImageMagick processed the image to generate thumbnails and previews, but as the decoder processed Evans' exploit code, the library generated a corrupt image preview for the attachment.

When this image attachment was clicked, it launched the image preview pane, causing the service to display portions of other images that were still present in the server's memory, instead of the original image.

"The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content," Evans said.

Unlike Heartbleed and Cloudbleed, which were out-of-bounds reads of server-side memory, Yahoobleed, Evans said, exposes uninitialized or previously freed memory content.

"The previous bleed vulnerabilities have typically been out-of-bounds reads, but this one is the use of uninitialized memory," Evans said. "An uninitialized image decode buffer is used as the basis for an image rendered back to the client."

"This leaks server-side memory. This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks."
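The bug class Evans describes, in an added C example that is not from Evans' write-up or from ImageMagick: a constructed toy run-length decoder that hands back a never-cleared buffer when the command stream consists only of empty commands, beside a hardened version that zeroes the buffer and rejects images whose commands do not cover every pixel. The format, the arena standing in for a freed heap chunk and the sample streams are all assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>

/*
 * Constructed toy run-length format for this demo only (it is NOT
 * ImageMagick's RLE codec). A 2-byte header (width, height) is followed by
 * commands:
 *   0x00                  empty command: writes nothing
 *   0x01 <count> <value>  write <count> pixels of <value>
 *   0xFF                  end of image
 */

#define ARENA_SIZE 64

/* Stand-in for a heap chunk that was freed without being wiped and still
 * holds another user's data. Constructed for the demo. */
static unsigned char arena[ARENA_SIZE];
static const char STALE[] = "previous-user-image-bytes";

static void arena_seed_with_stale_data(void) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, STALE, sizeof STALE);
}

/* Shared command loop. Returns the number of pixels actually written, or
 * (size_t)-1 on a malformed stream. */
static size_t run_commands(const unsigned char *img, size_t len,
                           unsigned char *pix, size_t n) {
    size_t pos = 0, i = 2;
    while (i < len) {
        unsigned char op = img[i++];
        if (op == 0xFF) break;
        if (op == 0x00) continue;            /* empty command: nothing written */
        if (op != 0x01 || i + 1 >= len) return (size_t)-1;
        size_t count = img[i], value = img[i + 1];
        i += 2;
        while (count-- && pos < n) pix[pos++] = (unsigned char)value;
    }
    return pos;
}

/* Vulnerable decoder: returns the "allocated" buffer without clearing it, so
 * every pixel the command stream never touched keeps stale heap content. */
static unsigned char *decode_unsafe(const unsigned char *img, size_t len, size_t *out_n) {
    if (len < 2) return NULL;
    size_t n = (size_t)img[0] * img[1];
    if (n == 0 || n > ARENA_SIZE) return NULL;
    unsigned char *pix = arena;              /* no initialisation */
    if (run_commands(img, len, pix, n) == (size_t)-1) return NULL;
    *out_n = n;
    return pix;                              /* may carry stale bytes */
}

/* Hardened decoder: zero the buffer before decoding, and refuse to return an
 * image whose command stream did not cover every pixel. */
static unsigned char *decode_safe(const unsigned char *img, size_t len, size_t *out_n) {
    if (len < 2) return NULL;
    size_t n = (size_t)img[0] * img[1];
    if (n == 0 || n > ARENA_SIZE) return NULL;
    unsigned char *pix = arena;
    memset(pix, 0, n);                       /* never serve unwritten memory */
    size_t written = run_commands(img, len, pix, n);
    if (written != n) return NULL;           /* malformed or incomplete image */
    *out_n = n;
    return pix;
}

typedef unsigned char *(*decoder_fn)(const unsigned char *, size_t, size_t *);

/* Decode a 4x2 image made only of empty commands (constructed) and report
 * whether the stale marker survives into the output: 1 = leaked, 0 = not. */
static int leaks_stale_memory(decoder_fn decode) {
    static const unsigned char img_empty[] = { 4, 2, 0x00, 0x00, 0x00, 0xFF };
    size_t n = 0;
    arena_seed_with_stale_data();
    unsigned char *out = decode(img_empty, sizeof img_empty, &n);
    if (out == NULL) return 0;               /* rejected: nothing served */
    return memcmp(out, STALE, n) == 0;
}

/* Well-formed 4x2 image (constructed) covering every pixel with 0x07;
 * returns 1 if the hardened decoder accepts it and produces those pixels. */
static int safe_decoder_accepts_full_image(void) {
    static const unsigned char img_full[] = { 4, 2, 0x01, 8, 0x07, 0xFF };
    size_t n = 0;
    unsigned char *out = decode_safe(img_full, sizeof img_full, &n);
    if (out == NULL || n != 8) return 0;
    for (size_t i = 0; i < n; i++) if (out[i] != 0x07) return 0;
    return 1;
}

int main(void) {
    printf("unsafe decoder leaks stale memory: %d\n", leaks_stale_memory(decode_unsafe));
    printf("safe decoder leaks stale memory:   %d\n", leaks_stale_memory(decode_safe));
    printf("safe decoder accepts full image:   %d\n", safe_decoder_accepts_full_image());
    return 0;
}
```

The server-side symptom is exactly the one Evans notes: the vulnerable decoder never crashes, so the leak only shows up if the output is checked against what the input could legitimately have produced.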

Yahoo Retires 'Buggy' ImageMagick Library

After Evans submitted his 18-byte exploit code to Yahoo, the company decided to retire the ImageMagick library altogether rather than fix the issue.

Evans also warned of another version of Yahoobleed, dubbed Yahoobleed2, which was due to Yahoo's failure to install a critical patch released in January 2015. He said the flaws combined could allow attackers to obtain browser cookies, authentication tokens, and private images belonging to Yahoo Mail users.

Evans was awarded a bug bounty payment of $14,000 -- $778 per byte of his exploit code -- by the tech giant, which doubled the bounty to $28,000 after learning of Evans' intention to donate his reward to charity.

After making Yahoo aware of the issue, Evans reported the vulnerability to the ImageMagick team, which released ImageMagick version 7.0.5-1 two months ago with a fix for the issue.

Other widely used Web services that rely on the ImageMagick library are likely still vulnerable to the bug and are advised to apply the patches as soon as possible.

In the digital world, it just takes one click to get the keys to the kingdom.

Did you know that spear-phishing was the only secret weapon behind the biggest data breach in history?

It's true: one of Yahoo's employees fell victim to a simple phishing attack and clicked one wrong link, which let the hackers gain a foothold in the company's internal networks.

You may be familiar with phishing attacks — an attempt to steal user credentials or financial data — but spear-phishing is a targeted form of phishing in which attackers trick employees or vendors into providing remote-access credentials or opening a malicious attachment containing an exploit or payload.

Here's how Yahoo's massive data breach was traced back to human error, and who the alleged masterminds behind this hack were.

While the indictment provided details on the 2014 Yahoo hack, FBI officials recently gave fresh insight into how two officers from the Russian Federal Security Service (FSB) hired two hackers to gain initial access to Yahoo in early 2014.

Here's How the Yahoo Hack Initiated:

The hack began with a "Spear Phishing" e-mail sent to "semi-privileged" Yahoo employees, not the company's top executives, early in 2014.

Although it is unclear how many Yahoo employees were targeted in the attack and how many emails the hackers sent, it only took one employee to click on either a malicious attachment or a link to give the attackers direct access to Yahoo's internal networks.

Since the Account Management Tool did not allow for simple text searches of usernames, the hackers began identifying targets based on their recovery email address.

Once identified, the hackers then used stolen cryptographic values called "nonces" to generate forged access cookies for specific user accounts, giving both the FSB agents and Belan access to users’ email accounts without the need for any password.

According to the FBI, those cookies were generated many times between 2015 and 2016 to access "more than 6,500 Yahoo accounts," out of the roughly 500 million accounts.

Victims Targeted by the Russian Spies:

According to the indictment, among other foreign webmail and Internet-related service providers, the Russian spies accessed the Yahoo accounts belonging to:

An assistant to the deputy chairman of Russia.

An officer in Russia's Ministry of Internal Affairs.

A trainer working in Russia's Ministry of Sports.

Russian journalists.

Officials of states bordering Russia.

U.S. government workers.

An employee of a Swiss Bitcoin wallet company.

A U.S. airline worker.

FBI special agent John Bennett told a news conference that Yahoo first approached the bureau in 2014 regarding the hack and that the company was "great partners" during its investigation.

However, the company took two years to go public in December 2016 with details of the data breach and advised hundreds of millions of its customers to change their passwords.

Baratov was arrested on Tuesday by the Toronto Police Department, while Belan and the two FSB officers are in Russia. The United States has requested that all three be handed over to face charges, but the US has no extradition treaty with Russia.

Hardly a day goes by without headlines about a significant data breach. In the past year, billions of accounts from popular sites and services, including LinkedIn, Tumblr, MySpace, Last.FM, Yahoo! and VK.com, were exposed on the Internet.

Now, according to recent news, login credentials and other personal data linked to more than one Million Yahoo and Gmail accounts are reportedly being offered for sale on a dark web marketplace.

The online accounts listed for sale on the Dark Web allegedly contain usernames, emails, and plaintext passwords. The accounts are not from a single data breach; instead, several major cyber-attacks are believed to be behind them.

The hacker going by the online handle 'SunTzu583' has listed a number of cracked email packages on a series of dark websites, HackRead reported.

The data listed for sale by SunTzu583 has not been independently verified by The Hacker News, but has reportedly been checked by matching it to the data on a number of data breach notification platforms, including Hacked-DB and HaveIBeenPwned.

Here's What You Can Do:

Needless to say, you should immediately change the passwords on almost all of your accounts at least once.

Also enable two-factor authentication for all your online accounts immediately.

And once again, a strong recommendation: Don't Reuse Passwords.

It is also recommended that you change your password every few months, which limits how long a stolen password is useful to a hacker.

Since no one can remember and regularly recreate strong passwords for every single online account, the best practice is to use a good password manager. It will generate, store and regularly change strong, unique passwords for all your accounts.

Yahoo has just revealed that around 32 million user accounts were accessed by hackers in the last two years using a sophisticated cookie forging attack without any password.

These compromised accounts are in addition to the Yahoo accounts affected by the two massive data breaches that the company disclosed in the last few months.

The former tech giant said in a regulatory filing Wednesday that the cookie caper is likely linked to the "same state-sponsored actor" thought to be behind a separate 2014 data breach that resulted in the theft of 500 Million user accounts.

"Based on the investigation, we believe an unauthorized third party accessed the company's proprietary code to learn how to forge certain cookies," Yahoo said in its annual report filed with the US Securities and Exchange Commission (SEC).

"The outside forensic experts have identified approximately 32 million user accounts for which they believe forged cookies were used or taken in 2015 and 2016. We believe that some of this activity is connected to the same state-sponsored actor believed to be responsible for the 2014 security incident."

"Forged cookies" are digital keys that allow access to accounts without re-entering passwords.

Instead of stealing passwords, the hackers forged the small web browser tokens called cookies, so that the browser told Yahoo the victim had already logged in.

Yahoo revealed the cookie caper in December last year, but the news was largely overlooked, as the statement from Yahoo provided information on a separate data breach that occurred in August 2013 involving more than 1 Billion Yahoo accounts.

In a statement, the company said the hackers might have stolen names, email addresses, hashed passwords, telephone numbers, dates of birth, and, in some cases, encrypted or unencrypted security questions and answers.

Yahoo began warning its customers just last month that some state-sponsored actors had accessed their Yahoo accounts by using the sophisticated cookie forging attack.

However, the good news is that the forged cookies have since been "invalidated" by Yahoo so they cannot be used to access user accounts.

Yahoo's CEO Marissa Mayer Loses Bonus

When Yahoo revealed the scope of the cookie caper, Yahoo CEO Marissa Mayer said she would forgo her annual bonus of US$2 Million and any 2017 equity award, usually about $12 Million in stock, in response to the security incidents that occurred during her tenure.

"When I learned in September 2016 that a large number of our user database files had been stolen, I worked with the team to disclose the incident to users, regulators, and government agencies," Mayer wrote in a note published Monday on Tumblr.

"However, I am the CEO of the company and since this incident happened during my tenure, I have agreed to forgo my annual bonus and my annual equity grant this year and have expressed my desire that my bonus be redistributed to our company’s hardworking employees, who contributed so much to Yahoo’s success in 2016."

Besides this, Yahoo's general counsel and secretary Ronald Bell also resigned as of Wednesday after the company revealed that "senior executives and relevant legal staff were aware that a state-sponsored actor had accessed certain user accounts by exploiting the Company’s account management tool."

The ongoing revelation of security incidents in the company has hit Yahoo's credibility badly. Just last month, Yahoo and Verizon Communications Inc. agreed to reduce the price of the upcoming acquisition deal by $350 Million in the wake of the two data breaches.

The deal, which was previously finalized at $4.8 Billion, is now valued at about $4.48 Billion in cash and is expected to close in the second quarter.

Yahoo recently disclosed a massive three-year-old data breach that exposed personal details associated with more than 1 Billion user accounts, said to be the largest data breach of any company ever.

The new development in Yahoo!'s 2013 data breach is that the hacker sold the database of more than a Billion users on the Dark Web last August for $300,000, according to Andrew Komarov, Chief Intelligence Officer (CIO) at security firm InfoArmor.

Komarov told the New York Times that three different buyers, including two "prominent spammers" and a third believed to be involved in espionage, paid $300,000 to gain control of the entire database.

The hacker group that breached Yahoo and sold the database is believed to be based in Eastern Europe, but the company still does not know whether this information is accurate.

Besides full names, passwords, dates of birth and phone numbers of 1 Million Yahoo users, the database also includes backup email addresses and, in some cases, unencrypted security questions and answers that could provide quick access to users' accounts via the password reset option.

The database is still up for sale, though its price is believed to have dropped substantially after Yahoo went public with the data breach announcement and triggered a password reset. Interested buyers might now have to pay $20,000 for the full Yahoo database.

Komarov also said his company obtained a copy of the Yahoo database earlier this year and got in touch with law enforcement authorities in the United States, the European Union, Canada, and Australia.

Komarov said his company did not go to Yahoo directly "because the internet giant was dismissive of the security firm when approached by an intermediary," adding that he didn't trust Yahoo to investigate the data breach thoroughly.

"Personal information and contacts, e-mail messages, objects of interest, calendars and travel plans are key elements for intelligence-gathering in the right hands," Komarov was quoted as saying.

"The difference of Yahoo hack between any other hack is in that it may really destroy your privacy, and potentially have already destroyed it several years ago without your knowledge."

Yahoo users are strongly recommended to reset their passwords and invalidate affected security questions as soon as possible.

Also, if you use the same password or security-question answers anywhere else, change them too, urgently.

In his blog post published today, the researcher demonstrated how a malicious attacker could have sent the victim's inbox to an external site, and created a virus that attached itself to all outgoing emails by secretly adding a malicious script to message signatures.

Since the malicious code is in the message's body, it is executed as soon as the victim opens the booby-trapped email, and its hidden payload script covertly submits the victim's inbox content to an external website controlled by the attacker.

The issue arose because Yahoo Mail failed to properly filter potentially malicious code in HTML emails.

"It would be possible to embed a number of HTML attributes that are passed through Yahoo's HTML filter and treated specially," Pynnönen says in his blog post.

Pynnönen says he found the vulnerability by feeding all known HTML tags and attributes, in order, to the filter that Yahoo uses to weed out malicious HTML; certain malicious HTML code managed to pass through.

"As a proof of concept I supplied Yahoo Security with an email that, when viewed, would use AJAX to read the user's inbox contents and send it to the attacker's server," Pynnönen says.

Pynnönen reported a similar vulnerability in the web version of the Yahoo! Mail service earlier this year for which he earned $10,000. He also reported a stored XSS vulnerability in Flickr to Yahoo in December 2015 for which he earned $500.

Yahoo! has disabled automatic email forwarding -- a feature that lets its users forward a copy of incoming emails from one account to another.

The company has faced lots of bad news regarding its email service in the past few weeks. Last month, the company admitted a massive 2014 data breach that exposed account details of over 500 Million Yahoo users.

If this wasn't enough for users to quit the service, another shocking revelation came last week that the company scanned the emails of hundreds of millions of its users at the request of a U.S. intelligence service last year.

That's enough to make a loyal Yahoo Mail user switch to rival alternatives, like Google's Gmail or Microsoft's Outlook.

Yahoo Mail Disables Auto-Forwarding; Making It Hard to Leave

But as Yahoo Mail users are trying to leave the email service, the company is making it more difficult for them to transition to another email service.

That's because, since the beginning of October, the company has disabled Yahoo Mail's automatic email forwarding feature, which allowed users to automatically redirect incoming emails from their Yahoo account to another account, the Associated Press reported.

All of a sudden it's under development? Here's what a post on the company's help page reads about the feature's status:

"This feature is under development. While we work to improve it, we've temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses. If you've already enabled Mail Forwarding in the past, your email will continue to forward to the address you previously configured."

In other words, only users who had already turned the feature ON in the past are spared; users who try to turn ON automatic email forwarding now have no option.

Yahoo has shared the following statement about the recent move:

"We're working to get auto-forward back up and running as soon as possible because we know how useful it can be to our users. The feature was temporarily disabled as part of previously planned maintenance to improve its functionality between a user’s various accounts. Users can expect an update to the auto-forward functionality soon. In the meantime, we continue to support multiple account management."

Yahoo is trying to save its Verizon Acquisition Deal

The move to turn off the email forwarding option could be an attempt to keep its customers' accounts active, because any damage to the company at this time matters as Yahoo seeks to sell itself to Verizon.

The Yahoo acquisition deal has not yet closed, and Verizon Communications has reportedly asked for a $1 Billion discount off of Yahoo's $4.83 Billion sales price.

As a workaround, you could switch on your vacation responder instead to automatically reply to emails with a note about your new email address.

Delete Your Yahoo Account Before It's Too Late

You can also forgo the forwarding process and simply delete your Yahoo Mail account entirely, unless Yahoo disables that option, too.

As The Register reports, British Telecom customers, whose email had been outsourced to Yahoo, have not been able to set up automatic email forwarding or even access the option to delete their accounts.

"Sorry, the delete feature is currently unavailable. This feature will become available by the end of September," the error message reads.

It seems Yahoo's troubles are not over yet. Another day, another piece of bad news for Yahoo!

Verizon, which has agreed to purchase Yahoo for $4.8 Billion, is now asking for a $1 Billion discount, according to recent reports.

The request comes after Verizon Communications learned of the recent disclosures about hacking and spying in the past few weeks.

Just two weeks ago, Yahoo revealed that at least half a Billion Yahoo accounts were stolen in a 2014 hack, making it the biggest data breach in history.

And if this wasn't enough, the company faced allegations earlier this week that it built a secret tool to scan all of its users' emails last year at the behest of a United States intelligence agency.

Due to these incidents, AOL CEO Tim Armstrong, who runs the Verizon subsidiary, is "pretty upset" about Yahoo's lack of disclosure, and is even seeking to pull out of the deal completely or cut the price, the New York Post claimed, citing multiple sources.

"In the last day, we've heard that Tim [Armstrong] is getting cold feet," a source reportedly told the Post. "He's pretty upset about the lack of disclosure, and he's saying can we get out of this or can we reduce the price?"

Armstrong is reportedly discussing a price reduction with Yahoo executives, though Yahoo is pushing back, claiming a "deal is a deal" and there's no legal recourse to change the terms, according to the paper.

Both Verizon and Yahoo have yet to comment on the matter.

Verizon announced the Yahoo acquisition deal in July, with the intention of merging it with AOL. The company intends to combine Yahoo and AOL into a third force to compete with Google and Facebook for digital advertising.

The acquisition deal is supposed to close early next year, merging Yahoo's search, advertising, content, and mobile operations with AOL to reach 1 Billion users.

Yahoo might have provided your personal data to a United States intelligence agency when required.

Yahoo reportedly built custom software to secretly scan all of its users' emails for specific information provided by US intelligence officials, according to a report by Reuters.

The tool was built in 2015 after the company complied with a secret court order to scan hundreds of millions of Yahoo Mail accounts at the behest of either the NSA or the FBI, according to the report, which cites three separate sources familiar with the matter.

According to some experts, this is the first time an American Internet company has agreed to a spy agency's demand of this scale by searching all incoming emails, rather than examining stored emails or scanning a small number of accounts in real time.

The tool was designed to search for a specific set of character strings within Yahoo emails and "store them for remote retrieval," but it's unclear exactly what the spies were looking for.

However, the US intelligence agency approached the company again in 2015 with a court order that came in the form of a "classified directive" sent to Yahoo's legal team.

So Secretive Even Yahoo's Security Team Was Unaware of It

The email search tool was so secretive that even Yahoo's own security team was unaware of the program.

Yahoo Chief Executive Marissa Mayer and Yahoo General Counsel Ron Bell not only decided to comply with the directive rather than fight it, but also did not even involve Yahoo's security team in the process, the report suggests.

Instead, Mayer and Bell asked Yahoo's email engineers to write a secret software program to siphon off messages containing the specific character string the spies demanded and store them for remote retrieval, according to the sources.

So when Yahoo's security team discovered the program in May 2015, the team initially thought hackers had broken in.

'Unhappy' Chief Information Security Officer Left Yahoo Immediately

When Yahoo's Chief Information Security Officer Alex Stamos found out that Mayer had authorized the surveillance program, he resigned from the company, telling his subordinates that "he had been left out of a decision that hurt users' security."

Stamos now works for Facebook.

Here's what Yahoo said in a brief statement in response to Reuters' request for comment:

"Yahoo is a law-abiding company, and complies with the laws of the United States."

The company declined any further comment.

It is likely that other Internet companies also received a similar court order, because the spy agency did not know which email service the target was using.

And since the NSA usually makes requests for domestic surveillance through the FBI, it is hard to say which agency was seeking the information.

This news comes just weeks after Yahoo announced the company was the victim of a "state-sponsored" cyber attack that leaked the personal details of more than 500 million of its users.

That's how many Yahoo accounts were compromised in a massive data breach dating back to 2014 by what was believed to be a "state sponsored" hacking group.

Over a month ago, a hacker was found to be selling login information related to 200 million Yahoo accounts on the Dark Web, but Yahoo has now acknowledged that the breach was much worse than initially expected.

"A recent investigation by Yahoo! Inc. has confirmed that a copy of certain user account information was stolen from the company's network in late 2014 by what it believes is a state-sponsored actor," reads the statement.

Yahoo is investigating the breach with law enforcement agencies and currently believes that users' names, email addresses, dates of birth, phone numbers, passwords, and in some cases encrypted and unencrypted security questions and answers were stolen from millions of Yahoo users.

However, the company does not believe the stolen information includes credit card information or any bank details of the affected users.

Yahoo has been criticized for its slow response to the data breach, but it is now in the process of notifying affected customers via emails and asking them to change their passwords, as well as security questions.

So far, Yahoo has not provided any evidence for why it believes the breach was the work of state-sponsored hackers.

Despite millions of people affected by the breach, the biggest victim here seems to be Yahoo itself.

The data breach reports come just as the company is trying to negotiate a deal to sell itself to Verizon for $4.8 Billion. So, if the breach reports negatively impact its share price, even for the time being, it could cost the company and its shareholders a slice of its buyout value.

Over the past few months, a large number of data breaches have been reported to plague companies like LinkedIn, MySpace, Tumblr, and VK.com, as hackers put up for sale massive dumps of user credentials stolen earlier in the decade.

Change Your Password and Use a Password Manager

Needless to say, users should immediately change their Yahoo account password. The company will also be prompting anyone who hasn't changed their password since 2014 to do so now.

"Additionally, Yahoo asks users to consider using Yahoo Account Key, a simple authentication tool that eliminates the need to use a password altogether," Yahoo suggests.

Also make sure you change your passwords on other online accounts if they use the same password, and enable two-factor authentication for your online accounts immediately.

And once again, a strong recommendation: Don't reuse passwords.

If you are unable to remember different passwords for each site, you can adopt a good password manager that allows you to create complex passwords for various sites as well as remember them for you.

We recently listed some of the best password managers, which could help you understand the importance of password managers and choose a suitable one for your requirements.